Washington, D.C.—Hackers at all levels have new capabilities at their disposal, said Leo Taddeo, former special agent in charge of the Special Operations/Cyber Division of the FBI's New York Field Office. Taddeo is now the chief security officer at Cryptzone, which is entering the U.S. market after years of successful growth in Europe. "Unfortunately," he said, "there's no improvement in our ability to deter that capability."
I interviewed Taddeo before his presentation at the International Spy Museum here. Taddeo, who is in the middle of a cyber-security seminar series sponsored by Cryptzone., said that there are a number of factors that make cyber-security more difficult now than it once was. "It's hard to deter China in anything they're doing," he said.
But the problem goes far beyond just nation-states hacking for military and commercial intelligence. "At the low end are the script kiddies, the hobby hackers," he said. Those are people who break into networks for recreation, or perhaps bragging rights, but are now getting much better tools to help them do it.
In the middle are the cyber-criminals who are hacking for money, and who are now getting their hands on information and software from nation-states, and are learning how to use it.
Complicating the task of keeping the hackers out of networks is the fact that they realize the risks are very low. While the penalties for getting caught can be severe, the fact is that despite the concerted efforts of law enforcement, most hackers are never caught. Because the risks are so low and the level of danger is so high, Taddeo said that it's critical for enterprises to make sure their defenses are up to the task.
Part of the process of being up to the task is having your company's leadership on board, but Taddeo cautioned that getting managers on board can't be done just by presenting them with a ROI presentation. "It's not an ROI calculation," he said. Worse, he said that when security is presented as an ROI calculation, it depends on factors that simply can't be known, and because of that, the calculation can't really make sense.
In reality, security is about protecting your brand, Taddeo explained. He said that corporate leadership can usually understand the damage that will come to their brand, and as a result to their company, in the event of a major breach.
This is important because building an enterprise security solution requires significant investments in structure, both of the security and of the enterprise itself. Depending on the company, it may require breaking open silos of information, it may require building communications networks so that managers in different parts of the company can talk to each other, and it needs to be a structure that's resilient so that a breach in one place doesn't place the entire enterprise at risk.
"A lot of companies spend money on perimeter defense," Taddeo said, "but more needs to be spent on hardening the interior."
Taddeo echoed the words of former cyber-security director Richard Clarke, who in an interview with eWEEK earlier this year, said that it was pointless to think that perimeter defenses could keep hackers at bay. At the time, he said, "The bad guys are already in your network."